BGP Peering Issue

Created: May 21, 2019 14:18:05 | Latest reply: May 24, 2019 08:36:21
Rewarded Hi-coins: 0 (problem resolved)

Hi All,

Any help on this issue would be appreciated.

Trying to BGP peer a Huawei Router pair to a Palo Alto Firewall pair. One router/firewall is located in one data centre, the other in another data centre. They are linked by a layer eVPN tunnel.

BGP on the firewall is configured and establishes to the local router in the same data centre for both instances. I need to establish BGP connectivity from the firewall to the router in the other data centre. When I enable the path, BGP flaps on that path, forcing BGP to reconnect practically every minute or less. One firewall of the pair is active and needs to peer to the two routers. The routers peer to the single firewall address. If the solution fails over to the other data centre, the same should occur to the opposite firewall. The passive firewall's interfaces remain down when in the passive state.


Checking the router BGP logs I get the following:

Date/Time : 2019-05-21 05:21+00:00
State : Down
Error Code : 4(Hold Timer Expired)
Error Subcode : 0(UnSpecific)
Notification : Send Notification

I have checked the BGP configuration - all okay. I have checked the MTU settings on the firewall interface and the BGP peer router interface and both are set to 1500 bytes. The route between them is layer 2, so I believe this shouldn't impact anything.


BFD has been disabled on the firewall.


Any suggestions for resolving this?


As said, any help is appreciated.

Regards

Adrian

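The log record quoted in the post (Date/Time, State, Error Code, Error Subcode, Notification) is easy to parse, and a few of them in a row are enough to see whether a session is genuinely flapping and who is tearing it down. The following Python is an added example written for this thread, not Huawei code or anything posted by the participants; the record layout is copied from the post, the error-code names come from RFC 4271, and SAMPLE_LOG is a constructed log (the original post shows only one record).

```python
"""Parse Huawei-style BGP peer log records and flag flapping sessions.

Added example for this thread; it is not Huawei code.  The record layout
copies the one quoted in the post (Date/Time, State, Error Code,
Error Subcode, Notification).  SAMPLE_LOG below is constructed.
"""
import re
from datetime import datetime, timedelta

# NOTIFICATION error codes, RFC 4271 section 4.5.
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}

# Constructed sample: two hold-timer expiries a minute apart, then an
# administrative shutdown received from the peer.
SAMPLE_LOG = """\
Date/Time : 2019-05-21 05:21+00:00
State : Down
Error Code : 4(Hold Timer Expired)
Error Subcode : 0(UnSpecific)
Notification : Send Notification

Date/Time : 2019-05-21 05:22+00:00
State : Down
Error Code : 4(Hold Timer Expired)
Error Subcode : 0(UnSpecific)
Notification : Send Notification

Date/Time : 2019-05-21 05:24+00:00
State : Down
Error Code : 6(Cease)
Error Subcode : 2(Administrative Shutdown)
Notification : Receive Notification
"""

_FIELD = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")
_CODE = re.compile(r"^(\d+)")


def parse_entries(text):
    """Split the log into records (blank-line separated) and decode each one."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = _FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if "Date/Time" not in rec:
            continue
        code = int(_CODE.match(rec.get("Error Code", "0")).group(1))
        subcode = int(_CODE.match(rec.get("Error Subcode", "0")).group(1))
        entries.append({
            # "%z" accepts the "+00:00" form on Python 3.7+
            "time": datetime.strptime(rec["Date/Time"], "%Y-%m-%d %H:%M%z"),
            "state": rec.get("State"),
            "code": code,
            "code_name": ERROR_CODES.get(code, "Unknown"),
            "subcode": subcode,
            # "Send Notification" = this router declared the fault;
            # "Receive Notification" = the peer did.
            "sent_by_us": rec.get("Notification", "").startswith("Send"),
        })
    return entries


def flap_runs(entries, window=timedelta(minutes=5), min_downs=3):
    """Group Down events that fall within `window` of the first event of
    the run; return (first, last, count) for runs of at least min_downs."""
    downs = sorted(e["time"] for e in entries if e["state"] == "Down")
    runs, i = [], 0
    while i < len(downs):
        j = i
        while j + 1 < len(downs) and downs[j + 1] - downs[i] <= window:
            j += 1
        if j - i + 1 >= min_downs:
            runs.append((downs[i], downs[j], j - i + 1))
        i = j + 1
    return runs


def summarize(text):
    """The counts a practitioner wants first: how many downs, how many were
    hold-timer expiries this router raised itself, and whether it is flapping."""
    entries = parse_entries(text)
    return {
        "events": len(entries),
        "hold_timer_expired": sum(1 for e in entries if e["code"] == 4),
        "we_sent": sum(1 for e in entries if e["sent_by_us"]),
        "flap_runs": flap_runs(entries),
    }


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["time"].isoformat(), e["state"], e["code"], e["code_name"], e["subcode"])
    print(summarize(SAMPLE_LOG))
```

The "Send Notification" field matters: it tells you this router's hold timer ran out, i.e. it stopped receiving KEEPALIVE or UPDATE messages from the peer for the negotiated hold time, so the loss is in the direction peer-to-router, which narrows where to capture.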

Featured Answers
chenhui (Admin) Created May 23, 2019 11:11:47

@southside hi!

I think you can check the source IP address that is used when establishing the EBGP peer.

If the route to this source IP address is learned from another, lower-priority routing protocol, then when these routes are learned from a new, higher-priority routing protocol, the previous route will be deleted from the routing table and the EBGP peer will go down because the routes are gone.
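The mechanism in the featured answer, as an added illustration (not Huawei code and not from the thread): a small routing-table model in which the route to the peer's address is first a static route over the L2 extension, then the same prefix arrives from a protocol with a better (lower) preference value and a different outgoing interface, so the session's return path no longer matches the interface it was built on; withdrawing that route brings the static path back, which is the flap pattern. The preference values are the usual VRP defaults taken from documentation, not from this thread, and should be verified on the device with `display ip routing-table`; the addresses and interface names are constructed.

```python
"""Model of a more-preferred protocol route evicting the route a BGP
session was using to reach its peer.  Added example, not Huawei code.
Preference values are assumed VRP defaults (lower wins); verify on the
router with `display ip routing-table`.  Addresses are constructed."""
from dataclasses import dataclass

PREFERENCE = {
    "direct": 0, "ospf": 10, "isis": 15, "static": 60,
    "rip": 100, "ospf-ase": 150, "ibgp": 255, "ebgp": 255,
}


@dataclass(frozen=True)
class Route:
    proto: str
    nexthop: str
    iface: str


class Rib:
    """Tiny routing table: one candidate route per protocol per prefix."""

    def __init__(self):
        self._cand = {}  # prefix -> {proto: Route}

    def add(self, prefix, route):
        self._cand.setdefault(prefix, {})[route.proto] = route

    def withdraw(self, prefix, proto):
        self._cand.get(prefix, {}).pop(proto, None)

    def best(self, prefix):
        cands = self._cand.get(prefix, {}).values()
        return min(cands, key=lambda r: PREFERENCE[r.proto], default=None)


def session_still_valid(rib, peer_prefix, session_iface):
    """A session that was set up via session_iface only keeps working while
    the active route to the peer still leaves via that same interface."""
    r = rib.best(peer_prefix)
    return r is not None and r.iface == session_iface


def simulate():
    """Return (step, active protocol, session-valid) for each step."""
    rib = Rib()
    peer = "192.0.2.2/32"   # constructed: R2's peering address
    link = "Eth0/0/1"       # constructed: the L2-extension interface
    # Session comes up over a static route pointing at the L2 extension.
    rib.add(peer, Route("static", "192.0.2.2", link))
    timeline = [("static-only", rib.best(peer).proto,
                 session_still_valid(rib, peer, link))]
    # Later the same prefix is learned via OSPF from the local router on a
    # different interface; preference 10 beats 60, the static route is no
    # longer active, and the return path to the peer moves off the link.
    rib.add(peer, Route("ospf", "198.51.100.1", "Eth0/0/2"))
    timeline.append(("ospf-learned", rib.best(peer).proto,
                     session_still_valid(rib, peer, link)))
    # When the OSPF route is withdrawn the static one is active again,
    # the session re-establishes, and the cycle repeats: a flap.
    rib.withdraw(peer, "ospf")
    timeline.append(("ospf-withdrawn", rib.best(peer).proto,
                     session_still_valid(rib, peer, link)))
    return timeline


if __name__ == "__main__":
    for step in simulate():
        print(*step)
```

On the real device the equivalent check is to run `display ip routing-table <peer-address>` while the session is up and again right after it drops, and compare the protocol and outgoing interface of the active route.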

All Answers
Sergio93 Created May 21, 2019 14:23:03

Hi,

Please help with the commands below:
<Huawei> display bgp peer
<Huawei> display current-configuration configuration bgp
Please tell us if the ping is working and which is the IP of the peer.
Thanks,
southside Created May 21, 2019 14:44:06

Hi,

When the session is established between flaps, ping works; otherwise it does not.

Did you want the output of those commands, as it contains sensitive information?

Essentially, both peerings from firewall (F) to router (R) work locally but not on the cross-connect between site 1 (1) and site 2 (2). So:

F1 to R1 = BGP Established
F2 to R2 = BGP Established
F1 to R2 = BGP Flapping
F2 to R1 = BGP Flapping.

Checking the BGP log as mentioned above gave "hold timer expired". F1 to R2, for example, connects identically to F2 to R2, but F2 is down and F1 is coming in via an extended L2 connection.

Regards

Adrian

Yehudi Created May 21, 2019 15:26:10

What's the output of the display bgp troubleshooting command?

chenhui (Admin) Created May 22, 2019 01:14:58

Posted by southside at 2019-05-21 14:44: Hi, When the session is established between flapping ping works otherwise it does not. Did you want ...
I'm really confused by your description. You said one router/firewall is located in one data center and the other in another data center, and they are linked by a layer eVPN (did you mean EVPN?) tunnel.
Then you said F1 to R2 = BGP flapping, F2 to R1 = BGP flapping, so how are these devices connected to each other? Maybe you could draw a simple topology to show this.

southside Created May 22, 2019 06:48:54

as

uzzi Created May 22, 2019 07:56:38

Can you just double-check on FW1 and FW2 that TCP port 179 is open for another session? When you say you have checked the BGP configuration, I assume you have checked the hold-down time, keepalive, etc.

Kindest regards,
Uzair
uzzi Created May 22, 2019 08:04:56

Moreover, can you do debugging and share the output?

debugging bgp all
terminal debugging
terminal monitor

Thank you.

Kindest regards,
Uzair
uzzi Created May 22, 2019 09:01:56

Posted by southside at 2019-05-21 09:44 Hi, When the session is established between flapping ping works otherwise it does not. Did you want ...
You can hide the public IPs with x.x and give the subnet information on both eBGP peer sides as well, please.
uzzi Created May 22, 2019 12:06:15

And to be 100% sure whether it is an MPLS MTU issue, just create eBGP between both routers which are connected through the service provider cloud. I tried to simulate it, but unfortunately eNSP establishes BGP even on the wrong MTU and I do not have a big infrastructure to check it physically :) One more thing: did you try to ping from the FW to the second-side data center router with the DF bit set at 1500? Also please check the firewall policies and check it for a while with everything permitted for testing.

Thank you.

Kindest regards,
Uzair
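The DF-bit ping and MTU suspicion above deserve a worked illustration of why a path MTU problem can look like "Hold Timer Expired" even when ping and the 19-byte KEEPALIVEs are small enough to pass. The following Python is an added example written for this thread, not from the participants, Huawei or Palo Alto. It models TCP's in-order delivery over a path that silently drops any packet larger than its MTU (no ICMP "fragmentation needed" returned, which is what tunnel encapsulation overhead without working PMTUD typically produces): once one full-size UPDATE segment is black-holed, every later segment, KEEPALIVEs included, queues behind it and the receiver's hold timer runs out. The path MTU of 1400, interface MTU of 1500, timers and message sizes are constructed values.

```python
"""Why a path MTU smaller than the interface MTU shows up as a BGP hold
timer expiry.  Added example, not vendor code.  Sizes, timers and the
silent-drop behaviour of the path are modelling assumptions."""

IPV4_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8
BGP_HDR = 19  # marker(16) + length(2) + type(1); a KEEPALIVE is header only


def ping_df_payload(mtu):
    """Largest ICMPv4 echo payload that fits in `mtu` with DF set, i.e. the
    size to give `ping` to test a 1500-byte path without fragmentation."""
    return mtu - IPV4_HDR - ICMP_HDR


def bgp_session_survives(path_mtu, sender_mtu, updates,
                         hold_time=90, keepalive=30, duration=300):
    """Replay a BGP session over a black-holing path.

    updates: list of (send_time_s, update_len_bytes) for UPDATE messages;
    KEEPALIVEs are sent every `keepalive` seconds in addition.
    The sender segments each message by its own MSS (derived from its
    interface MTU).  A segment whose IP packet exceeds path_mtu is dropped
    and, because TCP delivers in order, nothing sent after it reaches the
    receiving BGP process.  The receiver's hold timer resets on every
    message it can read.
    Returns (survived, expiry_time_or_None, messages_delivered)."""
    mss = sender_mtu - IPV4_HDR - TCP_HDR
    events = [(t, BGP_HDR) for t in range(0, duration + 1, keepalive)]
    events += list(updates)
    events.sort()
    last_delivered, delivered, blocked = 0, 0, False
    for t, size in events:
        if blocked:
            continue  # queued behind the lost segment; never read in time
        segments = [min(mss, size - off) for off in range(0, size, mss)]
        if any(seg + TCP_HDR + IPV4_HDR > path_mtu for seg in segments):
            blocked = True  # DF set, no ICMP back: the segment is gone
            continue
        last_delivered, delivered = t, delivered + 1
    if blocked:
        return (False, last_delivered + hold_time, delivered)
    return (True, None, delivered)


if __name__ == "__main__":
    # Constructed scenario: 1500-byte interfaces both ends, 1400-byte path.
    traffic = [(5, 1200), (35, 3000)]
    print("ping -f/-M do payload for 1500:", ping_df_payload(1500))
    print("path 1400, sender MTU 1500:", bgp_session_survives(1400, 1500, traffic))
    print("path 1500, sender MTU 1500:", bgp_session_survives(1500, 1500, traffic))
    print("path 1400, sender MTU 1400:", bgp_session_survives(1400, 1400, traffic))
```

Two things the model makes visible: the session only breaks when a large UPDATE is sent, so a freshly established session that exchanges small messages looks healthy and then drops at the first full table exchange, which matches a periodic flap; and lowering the interface MTU (or clamping TCP MSS) on the sending side to the real path MTU makes the same traffic survive, which is the practical fix if the DF-bit ping at 1472 bytes of payload fails across the extension.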